Transcription
Federal Public Key Infrastructure Policy Authority (FPKIPA)DRAFT Minutes of the 8 May 2007 MeetingGSA National Capital Region, 7th and D Streets, SW, Washington, DC. (Room 5700)A.1.2.3.4.5.6.7.8.9.10.11.12.B.AGENDAWelcome / IntroductionsDiscussion / Vote on 10 April 2007 FPKIPA MinutesDiscussion/Vote on the FPKIPA CharterDiscuss Proposed Changes to the FPKIPA By-LawsFPKI Operational Authority (FPKI OA) Report1) Status of the OA Transition2) MIT LL Interoperability Testing StatusStatus of the DoD Two-Way Cross Certification ActivitiesCertiPath/DoD: Citizenship/Security Clearance IssueUpdate on SSP-WG Activities1) HSPD-12 Implementation Issues: Size of PIV Certificate2) FIPS 201 Change Proposal3) Foreign National IndicatorDiscussion/Vote on Revised Common Policy [in 3647 format]FPKIPA Certificate Policy Working Group (CPWG) Report1) Discuss SAFE Bridge Mapping2) C4CP Revision StatusFinal Meeting Items1) Other Topicsi. Summary of NIST PKI R&D Workshopii. Proposed Agenda Items for next FPKIPA Meeting – 12 June 2007 (at USPS)Adjourn MeetingATTENDANCE LISTVOTING MEMBERSThe meeting began with a quorum of 10 voting members of fourteen present, of 71%, where a two-thirdsmajority vote was required. Two members joined the meeting in progress, after the first vote. The final quorumfor all subsequent voting was 12 voting members out of 14, or an 85% majority. USPTO continues without anappointed representative in attendance.NOTE: Contact information has been removed at the request of FPKIPA members. This information will be posted to a secure web site forFPKIPA members only at some point in the future. FPKIPA minutes already posted on the website have been redacted to remove POCinformation. FPKIPA members needing POC information on other members and participants should contact the Secretariat t of Commerce (NIST)-ProxyDepartment of DefenseDepartment of Health & HumanServices (Proxy to Department ofState)Department of Homeland SecurityDepartment of JusticeDepartment of StateDepartment of the TreasuryNameProxy to Dave Cooperof NISTMitchell, DeborahProxy to Department ofStateHagerling, DonMorrison, ScottCaldwell, SallySchminky, JimTelephoneTeleconferenceTeleconference
OrganizationDrug Enforcement Administration (DEACSOS)GPOGSANASANuclear Regulatory CommissionUSPSUSPTONameJewell, ChrisTelephoneTeleconferenceHannan, JohnProxy to JudithSpencer, Acting ChairABSENTSulser, DavidStepongzi, MarkNo ionDepartment of State (Contractor -ManTech)FPKI/FICC Support (Contractor-General Dynamics InformationTechnology)FPKIPA Secretariat (Contractor -Enspier Technologies/ProtivitiGovernment Services)E-Authentication PMOE-Authentication PMOIdenTrustIdenTrustState of IllinoisFPKI OA (Contractor, SRA, sub toEnspier)SSA (Contractor, Jacob & Sundstrom)DISA PMOKPMGC.NameTelephoneFroehlich, Charles R.Petrick, BrantFincher, Judy, Ph.D.Marsh, GeorgiaFrazier-McElveen,MyishaYoung, KennyWilson, BenAnderson, MarkCampbell, DonSimonetti, DavidVillasenor, JackieFaut, leconferenceMEETING ACTIVITYAgenda Item 1Welcome / Introductions—Ms. Judith Spencer, Acting ChairThis meeting was at the GSA National Capital Region Building (7th and D Streets, SW) in Washington, DC.Judith Spencer, Acting Chair in the absence of the Chair, Dr. Peter Alterman, called the meeting to order at 9:40a.m. with the attendee roll call.Agenda Item 2Discussion / Vote on 10 April 2007 FPKIPA Minutes—Judy FincherNine of the 14 voting members, present at the time of the vote, voted “yes”, with one abstention, or 9/13 (64.3%)where a simple majority vote (50%) was required. Two members joined the meeting after this vote. Theseapproved meeting minutes were posted to the FPKIPA website on May 9.2
Approval vote for 10 April 2007 FPKIPA MinutesVote (Motion – DoS ; 2nd – Treasury)YesNoAbstainDepartment of Commerce –Proxy to Dave Cooper of NISTDepartment of Defense Department of Health & Human Services –Proxy to Department of StateDepartment of Homeland SecurityABSENT FORTHIS VOTEDepartment of Justice Department of State Department of the Treasury Drug Enforcement Agency (DEA CSOS) GPOABSENT FORTHIS VOTEGSA (Proxy to Acting Chair, Ms. Judith Spencer) NASAABSENT-DIDNOT VOTENuclear Regulatory Commission (NRC) USPS USPTO (Ms. Queen to designate someone)ABSENT-DIDNOT VOTEVoting members.Agenda Item 3Discussion/Vote on the FPKIPA Charter—Judith SpencerAn effort to amend the draft Charter, as presented, to remove the term limit for the Chair position failed. Therewere five “Yes” votes in support of the motion; five “No” votes; and 2 abstentions, or 50% voting “Yes” where a75% majority vote was required (to amend the Charter).Vote on FPKIPA Charter – Proposed Amendment to Remove the 4-Year Restriction on the Length ofTime the Chair can ServeVoting membersVote (Motion – NRC; 2nd – Treasury)YesNoAbstainDepartment of Commerce (Proxy to Dave Cooper of NIST)Department of Defense Department of Health & Human Services (Proxy to DoS)Department of Homeland Security Department of Justice Department of State Department of the Treasury Drug Enforcement Agency (DEA CSOS) GPO GSA (Proxy to Judith Spencer, Acting Chair) NASAABSENT FOR THISVOTE3
Nuclear Regulatory CommissionUSPSUSPTO ABSENT FOR THISVOTE—NOREPRESENTATIVEAnother motion to remove references to ACES and the E-Authentication architecture umbrella in section 3.1.4 ofthe Charter passed with 12/14 voting in favor, or 85.7%, where a 75% majority vote was required.Section 3.1.4 of the Charter has been revised to read as follows: (deleted text is struck through)Agencies Acquiring Certificate Services from Service Providers Cross Certified with theFBCAVendors providing PKI certificate services are recognized and included under the Common Policy Frameworkthrough both the GSA Access Certificates for Electronic Services (ACES) program (Federal Employee Profile)and the Shared Service Provider (SSP) program. In addition, commercial certificate service providers may becross-certified with the Federal Bridge CA.The FPKIPA agreed that the ACES program had been over taken by events, e.g., the SSPs come under theCommon Policy. Under HSPD-12, agencies have to buy services from SSPs, so ACES becomes moot.Vote on FPKIPA Charter – Motion to Remove the reference to ACES and the E-Auth Umbrella in Section3.1.4 of the Charter (as amended by DHS)Voting membersVote (Motion –Treasury ; 2nd – DHS)YesNoAbstainDepartment of Commerce (Proxy to Dave Cooper of NIST)Department of Defense Department of Health & Human Services –Proxy to DoSDepartment of Homeland Security Department of Justice Department of State Department of the Treasury Drug Enforcement Agency (DEA CSOS) GPO GSA (Proxy to Judith Spencer, Acting Chair) NASAABSENT FOR THISVOTENuclear Regulatory Commission USPS USPTOABSENT FOR THISVOTE—NOREPRESENTATIVEACTION: Judith Spencer and Judy Fincher will work the revision off-line and send out the revised text by COBMay 11. Ms. Fincher will then conduct an e-vote on the revised section 3.1.4.As a result of the proposed and defeated change to remove term limits for the FPKIPA Chair, the vote to adoptthe revised Charter was postponed pending further discussion and possible re-write of that section.4
Agenda Item 4Discuss Proposed Changes to the FPKIPA By-Laws—Dr. Tice DeYoungDue to the absence of Dr. DeYoung this item was not discussed. It has been postponed for discussion until the12 June 2007 FPKIPA meeting.Agenda Item 5FPKI Operational Authority (FPKI OA) Report—Ms. Cheryl Jenkins1)Status of the OA TransitionDon Campbell (FPKI OA, Contractor, SRA) reported on the OA Transition in the absence of Ms. Jenkins. Mr.Campbell said that the OA production equipment has not been delivered, but that the OA lab has beentransitioned and is operational. The new team is in the process of taking over and is now fully trained in OAtechnology, policy and procedures, he said. We are half-way through the badging process and the Help Desk isbeing set up (phone lines and e –mail system).Ms. Spencer noted that the C&A is being done in two phases. The “delta” C&A will be completed by June andthe full C&A will be completed by September. This will ensure that the ATO is kept intact, she said.2)MIT LL Interoperability Testing StatusThis item was not discussed.Agenda Item 6Status of the DoD Two-Way Cross-Certification Activities—Ms. Debbie MitchellMs. Mitchell continues to provide monthly updates to the FPKIPA, until such time the DoD is two-way crosscertified. Ms. Fincher distributed the May 2007 Status: DoD Two-Way Cross-Certification with the FederalBridge, via the listserv prior to the May 8 FPKIPA meeting.The highlights of that report are:1) The DoD expects that the work will be completed in June to put up the DoD interoperabilityroot. The DoD will use the interoperability root to provide two-way cross-certification and willcross certify at Medium Hardware.2) The DoD CP has not changed, since the Medium Hardware OIDs are already there. There wasan inconsistency regarding mapping at Medium Hardware.3) Everything outside of DoD comes through this root. The Relying Party application owners throughoutDoD will have to make a conscious decision to use the interoperability root as the trust anchor and theDoD application owners will have to decide whom outside of DoD they will trust. DoD has not directedthe application owners to accept certs from designated agencies. The agencies have to be pro-active toachieve that interoperability.It was pointed out by DHS (Don Hagerling) that you still have to get DoD to identify the sites that are involvedand who your service partners are. Then you have to make sure that they know that they are supposed to usethe DoD interoperability root to achieve interoperability with non-DoD entities.Agencies can point their DoD partners for more information to Debbie Mitchell and Don Fuller’s e-mailaddresses (see below). Once either Ms. Mitchell or Mr. Fuller is contacted, he/she will start discussions aboutinteroperability pilots with Federal partners.5
Debbie Mitchell: dmmitc3@missi.ncsc.milDon Fuller: Donald.Fuller.ctr@osd.milCharles Froehlich, ManTech supporting Department of State, requested that DoD engage in a similar “publicity”campaign to alert DoD application owners who routinely deal with non-DoD entities that they will have to makethis change, and to alert their counterparts. Ms. Mitchell agreed.Agenda Item 7CertiPath/DoD: Citizenship/Security Clearance Issue—Ms. Judith SpencerMs. Spencer provided information on this initiative as a “heads up” to the FPKIPA. No action is required of thePolicy Authority today, although the Policy Authority will be asked to vote on this issue at a subsequent meeting.The FPKIPA has been in discussions with CertiPath and its international partners (EU and Australia) regardingthe requirements for trusted roles in the FBCA CP. The FBCA CP requires that trusted roles be performed bycitizens of the country in which the CA resides. In the EU, you are not allowed to discriminate against anymember of the EU. CertiPath and its international partners are proposing that we utilize existing bi-lateral and/orNATO agreements to accept security clearances (Secret) in lieu of the citizenship requirement.CertiPath and the FPKIPA are convening a meeting on May 10 in Arlington of interested parties to discuss thisissue and try to develop a U.S. Federal position. Ms. Spencer extended an invitation to all FPKIPA votingmembers to participate and to send their legal staff to the meeting. Ms. Fincher sent out an invitation to FPKIPAvoting members on May 7. Thus far, no agencies have stepped forward to volunteer their legal resources tosupport this meeting.Agenda Item 8Update on SSPWG Activities—Ms. Judith SpencerHSPD-12: This is an informational item related to PIV card tests. Although NIST identified a maximum cert sizein NIST SP 800-73, Appendix A., in practice, the certs are larger. Dave Cooper said that NIST SP 800-73-1sets minimum capacity limits for PIV Card containers, not a maximum. You are constrained only by the spaceon the card. There are ways to save space on the card, but if you do not use them, you will need a larger card.Agencies are currently using 64k cards Agencies will have to transition to a 128K card at a minimum, but they are notcurrently available in a FIPS 140-2, level 2, certified version.1) .The HSPD-12 ESC Support Team has asked that the FPKI Policy Authority “consider if maximumcertificate sizes should be established by FPKIPA policy that would apply to PIV certificates. No actionwas taken at this meeting regarding this issue.2) FIPS 201 Change Proposal: Ms. Spencer developed a two-page executive summary of the FPKIPAFIPS 201 Change Proposal at the request of OMB. The next hurdle is to get the NIST Director to sign it.Ms. Spencer has asked Tim Polk to staff it. Once it is signed, it will then go to the HSPD-12 ESC. MaryDixon of DoD is supporting the FPKIPA for this effort. The Change Proposal will change Section 5.4.4of FIPS 201 to allow legacy agencies to continue to operate as they are now.She noted that agencies will still have to stand up OCSP, HTTP and LDAP servers.3) Foreign National Indicator (FN Indicator): Ms. Spencer said that the HSPD-12 ESC wants agencies tofill out the subjectdirectoryattributes extension in the profile with the two-letter international countrycode, e.g., U.S. This is because the new HSPD-12 badges have three-color designations: 1) no band US citizen, Federal (direct-hire) employee 2) green band contractor, 3) blue band Foreign National.Ms. Spencer said this decision had already been made and that it will go into the FIPS 201 amendment.Debbie Mitchell expressed concern that DoD might not be following the rules. DEERS might havecaptured the two-digit code, but it might not be in NACI, she said. Ms. Mitchell wanted to know what therules are. Ms. Spencer said that guidance will be available by September and in the meantime, tocontact Debb Gallagher, the head of the DoD Common Access Card Office (who replaced Mike Butler).The guidance will be incorporated into an NIST Special Publication, to a Bulletin related to FIPS 201, ordirectly into FIPS 201, according to Ms. Spencer. Ben Wilson (IdenTrust) said that for the DoD ECAprogram, as of July 1, you have to identify all FNs and put it in the certificate.6
Agenda Item 9Discussion/Vote on the Revised Common Policy [in 3647 format]—Judith SpencerMs. Spencer said the revised Common Policy had been sent to the FPKIPA listserv over two weeks ago andthat it is final except for one comment bubble in section 4.9.7 which reads: Legacy PKIs must be addressed byeither removing FIPS 201 requirement or addressing off line CAs.There was much discussion about the Common Policy.1) David Sulser (NRC) pointed out that the text in the Foreword was different from that in the Introductionand wanted to know how much of the language in the Foreword is meaningful. Ms Spencer said thatthe third paragraph of the Foreword means that this policy constitutes a Trust Anchor. Any CA wantingto subordinate under this policy can, irrespective if it is a single CA, a hierarchical CA, a self-signed CA,or a mesh. Under the SSP program, we are creating a hierarchy under the Common Policy root. Wecannot allow non-federal entities to use Common Policy OIDs unless they are an SSP, she said.In an aside, Mr. Sulser also pointed out that the Bibliography does not currently contain a reference to SSPREP—the Shared Service Provider Repository Service Requirements [SSP REP].2) Debbie Mitchell said that the DoD still has a problem with section 3.1.2. The reference to therequirement for Common Name Uniqueness is no longer there, but it is in the FBCA CP. Dave Coopersaid that you can’t have two entities assigned the same name (DNs), but that two people can have thesame Common Name. Judith Spencer said you can’t rely on Common Name alone. Don Hagerlingsaid that if Common Names were unique, you would not need DNs. Debbie Mitchell said that acrossthe entire DoD, you differentiate Common Names with a ten-digit number, as in DEERS. Dave Coopersaid this is not allowed in the Common Policy, and that it is not required by the FBCA CP, although it isallowed. Don Hagerling said that without a common root, you cannot differentiate between CommonNames. You have to use the DN (location). Ms. Mitchell asked to delay the vote, saying that DoD doesnot want to come under the Common Policy.ACTION: Judith Spencer and DoD will go off-line to discuss name uniqueness. She suspects there is namecollision.3) Jim Schminky (Treasury) proposed we amend the Common Policy to add language about legacy CA’snow.He proposed an amendment to sections 4.9.7 and 5.1.8 to allow legacy PKIs to run off-line CAs with 30-dayCRLs. The vote to amend these two sections failed. There were 8 “yes” votes, 2 “no” votes and two abstentions(8/12), or 67%, where a 75% majority vote was required. [NOTE: The 75% majority vote to amend Common isnot specifically addressed in the Charter, although voting requirements to amend other policies required 75%majority vote. This need to be addressed in the Charter revision process.] The amendment did not pass andthe Common Policy document stands as is. Ms. Spencer said that if we cannot get relief from OMB aboutlegacy PKIs having to assert the Common Policy OIDs by January 1, 2008, then we will have to change thelanguage in the Common Policy at that time.Approval Vote to Amend Sections 4.9.7 and 5.1.8 of the Common Policyto allow Legacy PKI’s to run off-line CAsVoting membersVote (Motion – Treasury ; 2nd – DoS)YesNoAbstainDepartment of Commerce (Proxy to Dave Cooper of NIST)7
Department of DefenseDepartment of Health & Human Services –Proxy toDoSDepartment of Homeland SecurityDepartment of JusticeDepartment of StateDepartment of the TreasuryDrug Enforcement Agency (DEA CSOS)GPOGSA (Proxy to Judith Spencer, Acting Chair)NASANuclear Regulatory Commission (NRC)USPSUSPTO ABSENT-DIDNOT VOTE ABSENT-DIDNOT VOTE(NoRepresentative)The FPKIPA then proceeded to vote on the Common Policy “as is.” Eleven of the 13 members whovoted (with one abstention) voted to approve the Common Policy, or 85%, where a 75% majority wasrequired. The vote to accept the Revised Common Policy in 3647 format passed.ACTION: Judith Spencer will remove the remaining comment bubbles from the Common Policydocument and provide it to the webmaster (Brant Petrick) for posting. The accompanying matrices willbe reviewed for consistency and then posted, as well.Approval vote for Revised Common Policy [in 3647 format]—AS ISVote (Motion –DHS ; 2nd – GPO)YesNoAbstainDepartment of Commerce (Proxy to Dave Cooper of NIST)Department of Defense Department of Health & Human Services –Proxy to DoSDepartment of Homeland Security Department of Justice Department of State Department of the Treasury Drug Enforcement Agency (DEA CSOS) GPO GSA (Proxy to Judith Spencer, Acting Chair) NASAABSENT-DIDNOT VOTENuclear Regulatory Commission USPS USPTOABSENT-DIDNOT VOTE(NoRepresentative)Voting members8
Agenda Item 10FPKI Certificate Policy Working Group (CPWG) Report—Dave Cooper1)Discuss SAFE Bridge MappingThe CPWG met with SAFE representatives last month and has agreed to put forward a FBCA CP ChangeProposal for FPKIPA vote. These five or six changes fall into the category of “no harm, no foul,” Judith Spencersaid. She will issue a memo to SAFE, once the CPWG obtains FPKIPA approval of these proposed changes(FBCA CP Change Proposal: 2007-03). Debbie Mitchell asked if the revised Criteria and Methodologyprocedures were being followed in the SAFE Bridge cross-certification process. Ms. Spencer said that SAFEwas mapping every section of the CP, including the Introduction and section 9 (legal requirements), incompliance with the revised Crits and Methods processes.2)C4CP Revision StatusDave Cooper said that he had
Federal Public Key Infrastructure Policy Authority (FPKIPA) DRAFT Minutes of the 8 May 2007 Meeting . USPTO continues without an appointed representative in attendance. NOTE: Contact information has been removed at the request of FPKIPA members. . Vendors providing PKI certificate service
